The first discussion of LuxTrust's root inclusion request was here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/sT1wTJ2RIEMJ

The discussion resulted in 3 action items, and LuxTrust has responded to
those action items here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/erw3ToheAQAJ

To summarize:

> 1) Resolve the concerns that were raised about CRL and OCSP.
LuxTrust plans the implementation of ... solutions by the end of January
2016.

We will need to check the new OCSP solution before closing this second
discussion. But, we can review the updated CP/CPS documents in the
meantime.

> 2) Stop issuing certs with SHA-1 based signatures, and certs with
"Netscape Cert Type" extension (especially in this CA hierarchy)
LuxTrust confirms that no SSL and code-signing certificate issued under
the LTGRCA hierarchy uses the SHA-1 hash algorithm, as described in the
SSL and code signing profiles of the LTGRCA CP v1.22.

Netscape Cert Type: LuxTrust confirms that the certificates issued under
the LTGRCA hierarchy do not contain the “Netscape Cert Type” extension,
as described in the certificate profiles of the LTGRCA CP v1.22.

> 3) Update the CPS documents to respond to Ryan's comments in the
discussion
To address these concerns, LuxTrust has updated their CP/CPS documents,
and provided them on their website:

Document Repository:
https://repository.luxtrust.lu
LTGRCA CP v1.22:
https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf
LTGRCA CPS v1.09:
https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf
LTSSLCA CPS v1.3:
https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf

The updated documents look good to me, and I believe the updates address
the concerns that were raised in the first discussion, here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/ACHCpG2KCpYJ

So, please review their updated CP/CPS documents, and respond in this
discussion if you have any further questions or concerns about this
request to include the "LuxTrust Global Root" root certificate, turn on
the Websites trust bit**, and enable EV treatment.

Thanks,
Kathleen

** The original request was to enable the Code Signing trust bit too,
but Mozilla is no longer enabling the Code Signing trust bit because we
plan to remove that trust bit in the next version of Mozilla's CA
Certificate Policy.
https://wiki.mozilla.org/CA:CertificatePolicyV2.3